The recent bankruptcy of 23andMe, a major direct-to-consumer DNA testing company, has raised concerns about the future of sensitive customer data, including personal health details and genetic profiles.
23andMe, based in California, was one of the first companies to popularize at-home DNA testing kits. Customers submitted saliva samples to receive ancestry and health-related insights. Since its launch in 2006, the company grew to become one of the largest collectors of personal genetic data in the private sector, with more than 15 million users worldwide, including hundreds of thousands in Canada.
In addition to DNA analysis, 23andMe collected information from user-completed surveys that included lifestyle choices, medical history, mental health and behavioural tendencies. Experts say this combination created an unusually detailed personal profile, increasing the potential for misuse if the data were to fall into the wrong hands.
On March 28, a U.S. bankruptcy judge authorized 23andMe to include customer genetic and survey data in its asset sale process. The ruling followed the company’s March 24 filing for Chapter 11 protection, as it seeks to restructure amid declining demand and fallout from a major data breach in 2023.
Under U.S. bankruptcy law, a company’s customer database can be considered a valuable business asset. The judge’s decision to allow 23andMe to proceed with the sale of user data has sparked concern among privacy experts, who warn that existing privacy protections could be weakened under financial pressure.
According to the company, more than 85 per cent of users agreed to share both genetic and survey data for research or commercial purposes. The data included not only genetic traits but also details related to health conditions, habits and personality.
The 2023 breach exposed sensitive information from nearly seven million users, including names and ancestry data. While no financial information was reported stolen, cybersecurity analysts noted that combining genetic and personal survey data increases the risk of identity theft, profiling and surveillance.
Kayte Spector-Bagdady, a bioethics professor at the University of Michigan, has said that personal data related to a person’s fears, habits and emotional vulnerabilities is not only valuable to marketers and researchers but also highly exploitable.
Experts have also raised questions about whether anonymized genetic data is truly secure. Machine learning systems can now cross-reference multiple datasets to reverse-engineer user identities, even if names are removed.
The case has drawn comparisons to the 2018 investigation into the Golden State Killer, in which law enforcement used DNA from a genealogy website, GEDmatch, to identify a suspect through a distant relative. Although the platform’s privacy policy was not designed for law enforcement use, it played a central role in solving a decades-old case. The incident highlighted the unpredictable ways in which genetic data can be accessed and used.
Cybersecurity remains a growing issue in the health and genetics sectors. A 2024 report by found that 65 per cent of the largest hospital networks in the United States had experienced recent data breaches, and nearly 80 per cent scored poorly on cybersecurity readiness.
The potential sale of 23andMe’s database has raised privacy concerns in Canada as well. Private health providers and tech companies operating in Canada are under increasing scrutiny over how personal and medical data is collected, stored and shared.
As of mid-April, the U.S. House Committee on Oversight and Government Reform has requested testimony from 23andMe co-founder Anne Wojcicki regarding the handling of customer data during the bankruptcy process.
The company has stated that any buyer must comply with its existing privacy policies, and customers retain the option to request deletion of their data.